If it fails in sdio_init_func(), sdio_remove_func() can not
free the memory that allocated in sdio_alloc_func(), because
sdio_add_func() is not called yet, the sdio function is not
presented and sdio_remove_func() will return directly.
In this error path, we can not call put_device() to free the
memory in sdio_release_func(), because sdio_read_func_cis()
may fail, then sdio_free_func_cis() is called in release()
funtion which could cause put the reference that has not
been got.
So fix these leaks with calling kfree() instead of sdio_remove_func()
in error path.
Fixes: 3d10a1ba0d37 ("sdio: fix reference counting in sdio_remove_func()")
Reported-by: kernel test robot <lkp@xxxxxxxxx>
Signed-off-by: Yang Yingliang <yangyingliang@xxxxxxxxxx>
---
drivers/mmc/core/sdio.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/drivers/mmc/core/sdio.c b/drivers/mmc/core/sdio.c
index f64b9ac76a5c..f314224b362b 100644
--- a/drivers/mmc/core/sdio.c
+++ b/drivers/mmc/core/sdio.c
@@ -133,11 +133,8 @@ static int sdio_init_func(struct mmc_card *card, unsigned int fn)
return 0;
fail:
- /*
- * It is okay to remove the function here even though we hold
- * the host lock as we haven't registered the device yet.
- */
- sdio_remove_func(func);
+ kfree(func->tmpbuf);
+ kfree(func);
return ret;
}
--
2.25.1
